To say that the spotlight shines bright on the Office of Personnel Management’s cybersecurity efforts is an understatement.
Ever since the agency has emerged from its 2015 breach, OPM’s role — and that of its chief information security officer — has been front and center in the federal government’s efforts to secure its information technology systems.
Chase — who took the CISO job in April of 2016 — spoke with FedScoop about OPM’s ongoing cybersecurity initiatives for the FedScoop Q&A series.
Editor’s note: The transcript has been edited for clarity and length.
FedScoop: How is OPM partnering with other stakeholders to move its cybersecurity initiatives forward, especially following May’s cybersecurity executive order?
Cord Chase: Ultimately the biggest thing is Department of Homeland Security’s service support, everything from Continuous Diagnostics and Mitigation to the EINSTEIN program to the [National Cybersecurity Assessment & Technical Services] assessment team coming on-site. We review implementation of our current continuous monitoring program; it provides feedback; we certainly share our best practices with them, and they’re a big supporter of the Federal CISO Council.
Then the last thing I will say is our relationship with the inspector general here and GAO has been really important in helping us validate where we stand from a risk management standpoint. … And the reports that they come out with, the timeline markers and some of their assessments throughout the year are just helpful for me to gather myself, communicate internally, communicate externally and set the right path to help reduce a lot of that risk there.
FS: How are IT modernization efforts informing your approach to cybersecurity?
CC: As far as supporting modernization, I’m a big, big supporter of innovation. I always think that there are better ways to innovate, and it really comes down to supporting off-the-shelf products that are already pre-built, moving to cloud service providers and looking at other things that may be produced in Silicon Valley or some of the smaller companies that are out there that are up-and-coming. … Here at OPM, there’s been one very specific item that has been ensured for everyone, and that is to make sure that cybersecurity is part of all operational and infrastructure conversations. So as there is a conversation about the potential want to move to something more modern or to move to a service provider or to look at a new technology or any of those items, they have always, always invited cyber to the table to have those conversations.
I think the days of having something other than that are gone, not only for ourselves, but other agencies. But every agency has their own flavor, obviously. Here at OPM, we have retirement services, we have [Human Resources Solutions], we have [the National Background Investigations Bureau]. Each one of them has their own way and view of looking at things and how they process information and provide services to the government.
FS: What are some of the challenges with cybersecurity and risk assessment right now that you see no one is talking about?
CC: We have other business programs within OPM that have very specific missions to support the broader government: retirees, et cetera. They have ways that they do things. How do I take the information inside this unit and all the info-strategies and policies that have been created in making sure they understand what that is and ensuring that through communication that there’s no direct conflict between each other — and they are specifically aligned to what’s important?
So I’m not going to discuss system compliance or governance with the group without ensuring that they are fully aware of what I’m trying to talk to them about, that they have the capability to understand the risks that I’m discussing with them and then they can move on and implement whatever they need to based on the information they have at hand.
So, it’s not so much the policies that are being issued governmentwide that are a challenge. I think they’re very clearly written, very applicable to today’s modern environment. I don’t think it’s the lack of cyber experts out there. I know that we have opportunities, if budget is available, to procure appropriate tools. I feel like all those things are there. It really just becomes an internal communication process between the big unit and the small, internal units.
FS: Is there anything that you would like to see on your wish list moving forward?
CC: From an OPM perspective, a tools perspective, I feel like the cyber technologies have been pretty supportive and made themselves very available. And based on budget, I think that as we move forward as a program and as a government, that if we could just ensure collaboration amongst each other and break down some of the silos between interagency or even vendor-specific.
I think that the more we can share what we know with each other, the better we’ll make ourselves. [Having] more collaboration and communication would be my wish. I just think it’s always better to be more transparent with each other.
FS: What advice do you have for anyone who is in a CISO role?
CC: Expect the unexpected. Be patient and make sure you have enough time to read everything that’s out there. Once you can apply that and make it operational, the job gets easier. That’s just a matter of time.
FS: Is there anything in the federal IT space right now that is bigger than cybersecurity?
CC: The efforts of everybody for IT modernization, I think, are the biggest thing right now. I mean, it’s bigger than cyber. It’s so important that we begin to work to update a lot of this legacy equipment, understand where we are from the system development lifecycle perspectives and then begin to move forward and begin to implement — but also getting the right strategy from the very top as to how to do that is key.
But I know we’re moving there, and I know that the right leaders are there right now to get that going. Cyber is just a support role. We’re consultants. We’re there to advise. IT modernization is a necessity.